Sun Java System Access Manager version 7 2005Q4
Sample

SAML Query Samples


1. Introduction

This sample illustrates how to form a Query, how to write a sample AttributeMapper, and how to send and process a SOAP message using the SAML SDK. The program flow is as follows:

  1. The application first obtains the SSOToken.
  2. It forms an AuthenticationQuery using the information in the SSOToken.
  3. It forms a SOAP message and sends it to the SAMLSOAPReceiver. (The SAMLSOAPReceiver processes the SOAP request and replies with a SAML response.)
  4. It receives the SOAP reply and obtains the Authentication Assertion from it. In a real application, this Assertion can be obtained from Single Sign-On using the artifact or POST profile, or from SAMLClient.
  5. It forms an AttributeQuery using the Authentication Assertion obtained in the previous step as the SubjectConfirmationData.
  6. It forms a SOAP message and sends it to the SAMLSOAPReceiver. (The SAMLSOAPReceiver processes the SOAP request, finds the matching Attributes using the SampleAttributeMapper, and replies with a SAML response.)
  7. It receives the SOAP reply and obtains the SAML Response from it.

For simplicity, this sample is designed to run in the same JVM as the Access Manager. It is possible to run the sample in a different JVM by modifying SAMLQueryServlet.java. The requirements are: send the AuthenticationQuery to the server that issued the SSOToken; send the AttributeQuery to the server that produces the Attributes; and make sure the server that issued the Authentication Assertion is listed among the Trusted Partner Sites of the server that receives the AttributeQuery.
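The two Requests described in steps 2 to 6, built in the shape the servlet output in section 2 shows and wrapped in a SOAP 1.1 envelope for the SAMLSOAPReceiver. This is an added example written for this page, not the sample's SAMLQueryServlet code (which uses the Java SAML SDK); the SSOToken id and the assertion used in the demo are constructed placeholders, and the SOAP-ENV prefix is this example's choice.

```python
"""Build the SAML 1.0 AuthenticationQuery and AttributeQuery Requests of the
sample flow and wrap each in a SOAP 1.1 envelope for SAMLSOAPReceiver.
Added example, not the sample's own code; sample values are constructed."""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Union

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# ConfirmationMethod used in the sample's requests (taken from the output above):
# the confirmation data is either an SSOToken id or an Authentication Assertion.
CONFIRMATION_METHOD = "urn:com:sun:identity"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("SOAP-ENV", SOAP_ENV)):
    ET.register_namespace(prefix, uri)


def new_request_id() -> str:
    """160 random bits, base64 encoded: the same form as the RequestIDs above."""
    return base64.b64encode(os.urandom(20)).decode("ascii")


def saml_instant(when: datetime) -> str:
    """SAML 1.0 IssueInstant: UTC with second resolution and a trailing Z."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_subject(name: str, name_qualifier: str,
                  confirmation_data: Union[str, ET.Element]) -> ET.Element:
    """Subject with one SubjectConfirmation. confirmation_data is the SSOToken id
    (str) for an AuthenticationQuery, or the Authentication Assertion element
    taken from the first reply for an AttributeQuery."""
    subject = ET.Element(f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                            NameQualifier=name_qualifier)
    name_id.text = name
    confirmation = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(confirmation, f"{{{SAML}}}ConfirmationMethod").text = CONFIRMATION_METHOD
    data = ET.SubElement(confirmation, f"{{{SAML}}}SubjectConfirmationData")
    if isinstance(confirmation_data, str):
        data.text = confirmation_data
    else:
        data.append(confirmation_data)
    return subject


def build_request(query: ET.Element, request_id: Optional[str] = None,
                  issue_instant: Optional[datetime] = None) -> ET.Element:
    """samlp:Request wrapper common to both queries."""
    request = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": request_id or new_request_id(),
        "MajorVersion": "1", "MinorVersion": "0",
        "IssueInstant": saml_instant(issue_instant or datetime.now(timezone.utc)),
    })
    request.append(query)
    return request


def build_authentication_query(name: str, name_qualifier: str,
                               sso_token_id: str, **kw) -> ET.Element:
    """Step 2: ask the server that issued the SSOToken for an Authentication Assertion."""
    query = ET.Element(f"{{{SAMLP}}}AuthenticationQuery")
    query.append(build_subject(name, name_qualifier, sso_token_id))
    return build_request(query, **kw)


def build_attribute_query(name: str, name_qualifier: str,
                          authn_assertion: ET.Element, **kw) -> ET.Element:
    """Step 5: the Authentication Assertion from step 4 becomes the SubjectConfirmationData."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery")
    query.append(build_subject(name, name_qualifier, authn_assertion))
    return build_request(query, **kw)


def soap_message(request: ET.Element) -> bytes:
    """Steps 3 and 6: the Request is the only child of the SOAP Body."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body").append(request)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def authentication_assertion(response_xml: bytes) -> ET.Element:
    """Step 4: pull the Authentication Assertion out of the first Response."""
    assertion = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("Response carries no saml:Assertion")
    return assertion


if __name__ == "__main__":
    # Constructed values; the real servlet reads them from the SSOToken.
    authn = build_authentication_query("uid=amAdmin,ou=People,dc=example,dc=com",
                                       "dc=example,dc=com", "AQIC5w...constructed-token-id")
    print(soap_message(authn).decode())
```

The element returned by `authentication_assertion` is appended unchanged into the second query, which is exactly why the AttributeQuery in the output below repeats the whole first assertion, Conditions and SubjectLocality included, inside its SubjectConfirmationData.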


2. Instructions on Building, Configuring and Running the Sample

Unless otherwise specified, the instructions below apply to both Solaris and Windows machines. The Solaris file path separator "/" is used in the instructions; change it to "\" for Windows. <INSTALL_DIR> is the directory where Sun Java System Access Manager is installed.

  1. Go to <INSTALL_DIR>/samples/saml/query
  2. Edit the Makefile (make.bat for Windows) if needed. Modify the following environment variables if you do not want to use the defaults:
           BASE - Set this variable to the installation directory of Sun Java System
           Access Manager
           CLASSPATH - References all the jars needed to compile this sample
           JAVA_HOME - Set this variable to your JDK installation. It should
           be newer than JDK 1.3.1
           BASE_CLASS_DIR - Directory where all the compiled classes will be kept

  3. Run gmake (make.bat for Windows)
  4. Deploy SAMLQuerySample.jar in the web container.
        a. Go to BASE_CLASS_DIR
        b. Copy SAMLQuerySample.jar to <INSTALL_DIR>/SUNWam/lib
        c. Add <INSTALL_DIR>/SUNWam/lib/SAMLQuerySample.jar to the web container's
           classpath. For example, for an Express install, add it to the classpathsuffix in
           file <INSTALL_DIR>/servers/<instance>/config/server.xml
        d. Add a <servlet> and a <servlet-mapping> entry to file
           <INSTALL_DIR>/web-apps/services/WEB-INF/web.xml
           For example:
           <servlet>
           <servlet-name>querysample</servlet-name>
           <description>querysample</description>
           <servlet-class>SAMLQueryServlet</servlet-class>
           </servlet>
           <servlet-mapping>
           <servlet-name>querysample</servlet-name>
           <url-pattern>/querysample</url-pattern>
           </servlet-mapping>
        
  5. Restart the Sun Java System Access Manager.
  6. Log in to the Administration Console as amadmin:
           http://<server.domain>:port/amconsole
  7. Click on the "Federation" tab
  8. Click on the "SAML" tab
  9. Click the "edit" link of the only entry under "Site Identifiers" to go to the "Edit Site Identifier" page. Make sure "Instance ID" has the correct protocol and port if you changed the Access Manager server protocol or port. Copy the Site ID value; it will be used in step 11.
  10. Click "Save" if you made any changes, or "Cancel" to go back to the previous page.
  11. Click "New" under "Trusted Partners" to go to the "Select trusted partner type and profile" page. Check "SOAP Query" under "Destination" and click "Next" to go to the "Add New Trusted Partner" page. Set the attributes as follows:
           Source ID: <the Site ID obtained in step 9>
           Host List: <the IP address of the machine that Access Manager is running on>
           Attribute Mapper: SampleAttributeMapper

  12. Click on "Finish"
  13. Click on "Save"
  14. Invoke the servlet:
    http://<server.domain>:port/<service_deploy_URI>/querysample
  15. You may also log out, log in as another user, and then invoke the servlet again.
  16. You should see servlet response output similar to the following:
    The SAML Request to be sent is:
           <samlp:Request
           xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           RequestID="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
           IssueInstant="2002-08-31T00:01:53Z">
           <samlp:AuthenticationQuery>
           <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/
           KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/
           bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=
           @neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</
           saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           </samlp:AuthenticationQuery>
           </samlp:Request>
           
    The SOAP endpoint is:
    http://neuhome.red.iplanet.com:58080/amserver/SAMLSOAPReceiver
    The response received is:
           <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           ResponseID="IYQ5pYcm4sw8rE+mw81beABfnNA="
           InResponseTo="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
           IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
           <samlp:Status>
           <samlp:StatusCode Value="samlp:Success">
           </samlp:StatusCode>
           </samlp:Status>
           <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
           MinorVersion="0" AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw="
           Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
           <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"
           >
           </saml:Conditions>
           <saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:LDAP"
           AuthenticationInstant="2002-08-30T23:57:13Z">
           <saml:Subject>
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/
           KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/
           bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=
           @neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</
           saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           <saml:SubjectLocality IPAddress="192.18.148.29" /></saml:AuthenticationStatement>
           </saml:Assertion>
           </samlp:Response>
           
    The SAML Request to be sent is:
           <samlp:Request
           xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           RequestID="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
           IssueInstant="2002-08-31T00:01:53Z">
           <samlp:AttributeQuery>
           <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData><saml:Assertion
           AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
           Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:Conditions NotBefore="2002-08-30T23:56:53Z"
           NotOnOrAfter="2002-08-31T00:02:53Z">
           </saml:Conditions>
           <saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
           AuthenticationMethod="urn:com:sun:identity:LDAP">
           <saml:Subject>
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/
           KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/
           bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=
           @neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</
           saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           <saml:SubjectLocality
           IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
           </saml:Assertion>
           </saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           </samlp:AttributeQuery>
           </samlp:Request>
           
    The response received is:
           <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
           ResponseID="slFcTqP6CFq26xs3pnlpfpRID2I="
           InResponseTo="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
           IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
           <samlp:Status>
           <samlp:StatusCode Value="samlp:Success">
           </samlp:StatusCode>
           </samlp:Status>
           <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
           MinorVersion="0" AssertionID="PhI5XH0rkUCNTlLBaIe4/Y5nT8w="
           Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z"
           >
           <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"
           >
           </saml:Conditions>
           <saml:AttributeStatement >
           <saml:Subject>
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData><saml:Assertion
           AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
           Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:Conditions NotBefore="2002-08-30T23:56:53Z"
           NotOnOrAfter="2002-08-31T00:02:53Z">
           </saml:Conditions>
           <saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
           AuthenticationMethod="urn:com:sun:identity:LDAP">
           <saml:Subject>
           <saml:NameIdentifier
           NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
           <saml:SubjectConfirmation>
           <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
           <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/
           KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/
           bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=
           @neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</
           saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           <saml:SubjectLocality
           IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
           </saml:Assertion>
           </saml:SubjectConfirmationData>
           </saml:SubjectConfirmation>
           </saml:Subject>
           <saml:Attribute AttributeName="userpassword" AttributeNamespace="iPlanetAMUserService">
           <saml:AttributeValue
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           {SSHA}3/GreMuCxplJr518lWknB6wADY0vVcIZBFX8Pw==</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute AttributeName="uid" AttributeNamespace="iPlanetAMUserService">
           <saml:AttributeValue
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute AttributeName="cn" AttributeNamespace="iPlanetAMUserService">
           <saml:AttributeValue
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute AttributeName="inetuserstatus"
           AttributeNamespace="iPlanetAMUserService">
           <saml:AttributeValue
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">Active</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute AttributeName="sn" AttributeNamespace="iPlanetAMUserService">
           <saml:AttributeValue
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
           </saml:Attribute>
           </saml:AttributeStatement>
           </saml:Assertion>
           </samlp:Response>
           
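The checks a receiving application should run over the Response shown above before trusting it (step 7 of the flow): InResponseTo must match the RequestID that was sent, the StatusCode must be samlp:Success, the current time must fall inside the Conditions window, and the asserted subject must be the one that was queried. The output also shows that SampleAttributeMapper returns every attribute of the user, including the userpassword hash; the consumer below flags attributes of that kind so that a production AttributeMapper or consumer can filter them. This is an added example written for this page, not code from the sample. The embedded response is abbreviated from the output above, with the nested Authentication Assertion shortened, and the password hash replaced by a placeholder; SENSITIVE_ATTRIBUTES is this example's own policy list.

```python
"""Consume the SAML 1.0 Response returned by SAMLSOAPReceiver (step 7 above):
correlate it with the Request, check status and Conditions, confirm the subject
and collect the attributes. Added example, not the sample's own code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# Attribute names this example's consumer refuses to accept from an attribute authority.
SENSITIVE_ATTRIBUTES = {"userpassword"}

# Constructed: the AttributeQuery response from step 16, abbreviated, hash replaced.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="slFcTqP6CFq26xs3pnlpfpRID2I=" InResponseTo="G/AUygEJazkTo0zQJg5tlP8R/T8="
    MajorVersion="1" MinorVersion="0" IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="PhI5XH0rkUCNTlLBaIe4/Y5nT8w="
      Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
    <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"/>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
          <saml:SubjectConfirmationData>
            <saml:Assertion AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" MajorVersion="1" MinorVersion="0"
                Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
              <saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:LDAP"
                  AuthenticationInstant="2002-08-30T23:57:13Z">
                <saml:Subject><saml:NameIdentifier NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier></saml:Subject>
              </saml:AuthenticationStatement>
            </saml:Assertion>
          </saml:SubjectConfirmationData>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="userpassword" AttributeNamespace="iPlanetAMUserService">
        <saml:AttributeValue>{SSHA}placeholder-hash==</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="uid" AttributeNamespace="iPlanetAMUserService">
        <saml:AttributeValue>amAdmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="cn" AttributeNamespace="iPlanetAMUserService">
        <saml:AttributeValue>amAdmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="inetuserstatus" AttributeNamespace="iPlanetAMUserService">
        <saml:AttributeValue>Active</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="sn" AttributeNamespace="iPlanetAMUserService">
        <saml:AttributeValue>amAdmin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(text: str) -> datetime:
    """SAML 1.0 timestamps in the sample are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(response_xml: str, request_id: str, subject_name: str,
                   now: datetime) -> dict:
    """Returns {'ok', 'problems', 'attributes', 'sensitive'}. Every problem is
    collected instead of raising on the first one, so a caller can log them all."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.tag != f"{{{SAMLP}}}Response":
        problems.append("root element is not samlp:Response")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the RequestID we sent")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        problems.append("StatusCode is not samlp:Success")
    assertion = root.find(f"{{{SAML}}}Assertion")  # direct child only, not the nested one
    if assertion is None:
        problems.append("Response carries no saml:Assertion")
        return {"ok": False, "problems": problems, "attributes": {}, "sensitive": []}
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            problems.append("assertion is not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            problems.append("assertion has expired (NotOnOrAfter)")
    # The statement's own Subject precedes, in document order, the Authentication
    # Assertion nested inside its SubjectConfirmationData, so find() returns it.
    name_id = assertion.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_id is None or name_id.text != subject_name:
        problems.append("assertion subject differs from the queried subject")
    attributes = {}
    for attr in assertion.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attributes[attr.get("AttributeName")] = values
    sensitive = sorted(SENSITIVE_ATTRIBUTES.intersection(attributes))
    for name in sensitive:
        problems.append(f"attribute authority returned sensitive attribute {name}")
    return {"ok": not problems, "problems": problems,
            "attributes": attributes, "sensitive": sensitive}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, "G/AUygEJazkTo0zQJg5tlP8R/T8=",
                            "uid=amAdmin,ou=People,dc=example,dc=com",
                            datetime(2002, 8, 31, 0, 1, 53, tzinfo=timezone.utc))
    print(result["ok"], result["problems"], sorted(result["attributes"]))
```

Run against the sample data at the IssueInstant shown above, the only finding is the userpassword attribute; one minute later the same response is also rejected because NotOnOrAfter has passed, which is why the consumer must use a reliable clock and why the sample's short validity window matters.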


End of Sample